Transcript of TARGETED CYBER ATTACKS ANATOMY, VIVISECTION AND PROTECTION (Sergey Gordeychik, Deputy CTO, Kaspersky Lab), 39 pages

Page 1:

TARGETED CYBER ATTACKS ANATOMY, VIVISECTION AND PROTECTION

Sergey Gordeychik

Deputy CTO, Kaspersky Lab

Targeted Attack Discovery: APT, Advanced threats, Intelligence, Abnormal Behavior, Threat Hunting

Page 2:

The case of the CRYPTOBANK

Page 3:

INVESTIGATION RESULTS

1000 workstations, 200 servers

2 weeks of unsuccessful encryption attempts

Backup servers also compromised

Full-disk encryption (FDE) tool with a unique encryption key for each device

PowerShell scripts…

Page 4:

TTP

Enterprise wipers/cryptors

Black Energy

HDDCryptor

Shamoon 2

Full disk encryption

Malware-less

“Tailored” encryption

https://kas.pr/aAg2

Page 5: TARGETED CYBER ATTACKS ANATOMY, VIVISECTION AND PROTECTION · TARGETED CYBER ATTACKS ANATOMY, VIVISECTION AND PROTECTION Sergey Gordeychik Deputy CTO, Kaspersky Lab Targeted Attack
Page 6: TARGETED CYBER ATTACKS ANATOMY, VIVISECTION AND PROTECTION · TARGETED CYBER ATTACKS ANATOMY, VIVISECTION AND PROTECTION Sergey Gordeychik Deputy CTO, Kaspersky Lab Targeted Attack
Page 7: TARGETED CYBER ATTACKS ANATOMY, VIVISECTION AND PROTECTION · TARGETED CYBER ATTACKS ANATOMY, VIVISECTION AND PROTECTION Sergey Gordeychik Deputy CTO, Kaspersky Lab Targeted Attack

PowerShell scripts?..

Page 8:

PowerShell scripts?..

Page 9:

INVESTIGATION RESULTS

The initial breach occurred 6 months before

Spear phishing “from” [email protected]

Cobalt Strike beacon

Privilege escalation (Mimikatz, Pass-the-Hash)

Access to ATM management station

Silence…

Page 10:

15 countries: Near East, Asia, East/West Europe, Russia

40+ banks

ATM cash-out through the XFS (CEN/XFS) ATM API

Traces wiped with sdelete.exe

“Offensive Security Certified” hacking

Page 11:

CYBER THREAT VELOCITY

https://www.youtube.com/watch?v=e50DpEvKJ-k

Page 12:

TECHNIQUES, TACTICS AND PROCEDURES

Pentest-style attack

Massive breach post processing

Targets selection and profiling

Black market

Remote access

Insiders

Passwords

Drops

Organized activity

Page 13:

http://www.scmagazine.com/kaspersky-confirms-return-of-carbanak-and-two-more-banking-apt-groups/article/472224/

https://en.wikipedia.org/wiki/2016_Bangladesh_Bank_heist

https://www.elevenpaths.com/wp-content/uploads/2016/11/Financial_Threats_Q3-2016_EN.pdf

https://www.bleepingcomputer.com/news/security/polish-banks-infected-with-malware-hosted-on-their-own-governments-site/

Page 14:

THREAT VELOCITY

ATM

+15 Countries

SWIFT

Poland

..

Local payment systems

We don’t know yet…

Page 15:

The case of the

https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx

Page 16:

OOPS, THEY DID IT AGAIN

Domain controllers under control since 2013

psexec for lateral movement

Steganography for C2 communications

Checks for (only) Qihoo 360 AV

3 days to “do it again” after cleanup, via:

• Trusted domain in daughter company

• Overseas branch

• Backdoor VPN channel

Page 17:

THEY NEVER GIVE UP

You don't have to be a target to be a victim

Supply chain attack

Multiple C2 channels

Malware-less attacks

Server side implants

Taidoor/Whitewhile

Poisoned Flight/Elirks

PlugX/ZeroT

TropicTrooper

Page 18:

https://www.hackread.com/mirai-botnet-linked-to-dyn-dns-ddos-attacks/

Page 19:

http://census2012.sourceforge.net/paper.html

Page 20:

A THOUSAND BATTLES, A THOUSAND VICTORIES

Page 21:

THREAT HUNTING

https://sqrrl.com/solutions/cyber-threat-hunting/

Cyber threat hunting is the practice of searching iteratively through data to detect advanced threats that evade traditional security solutions.

Page 22:

WHY THREAT HUNTING?

Minimize residual risks

Minimize time between attack and detection

Unknown targeted attacks detection

TTP based detection

“Time machine” for evidence analysis

Non-malware attacks detection

Iterative process

[Figure: Security Tools / Monitoring / Hunting. Prevention, SOC Alerting and Threat hunting are stacked against the remaining Risks.]

Page 23:

http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf

https://www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effective-threat-hunting-36785

http://info.isightpartners.com/definitive-guide

Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin, Ph.D. (Lockheed Martin Corporation)

Page 24: (repeats the references shown on Page 23)

Page 25:

FROM THE OTHER SIDE OF THE FENCE

https://securelist.com/blog/virus-watch/74150/plugx-malware-a-good-hacker-is-an-apologetic-hacker/

Page 26:

SANS 2016 (THREAT HUNTING, MDR*)

Page 27:

https://www.sans.org/reading-room/whitepapers/threats/automated-defense-threat-intelligence-augment-35692

DAVID BIANCO - PYRAMID OF PAIN

Page 28:

https://securelist.com/blog/research/77403/fileless-attacks-against-enterprise-networks/

Page 29:

WHAT DO WE NEED/HAVE?

Hypothesis

• Security assessment

• SOC practice

• APT/Breach reports

• Situational awareness

Analytics

• Machine learning

• Linked data analysis

IOC

• Data feeds: MAF, C&C, pDNS, etc.

• White lists

• Popularity

• Similarity

https://www.gartner.com/doc/reprints?id=1-2WQY2BI&ct=160121&st=sb

Page 30:

THREAT HUNTING CYCLE

• Goals / Priorities

• Detect scenarios

• Scenarios deployment

• Detection / Evidence collection

• Data analysis

• Validation

• Categorization

• Prioritization

• Live response: Memory dump, Disk dump

• Malware analysis, Live response analysis

• Forensic examination: Network forensics, Host forensics

Page 31:

THREAT HUNTING (PAIN) CYCLE

The cycle from Page 30, annotated with the question each stage raises:

• How to deliver quickly?

• How and with what to detect? TP or FP?

• “Tailored” for me or seen before? Is this really important?

• How? Tools to use?

• What really has happened? How to withstand in the future?

• Who? How and with what? Attack goals?

Page 32:

IMPLEMENTATION: THREAT INTELLIGENCE PLATFORM

Page 33:

THREAT HUNTING FUNNEL

Level 1: TI Farm
pDNS, Files IoC, C&C, Distributed SandBox, Ext. IoCs

Level 2: TTP
ML, Objects (MD5, FQDN), Events, SOC practice, IR, DF, Security Assessment, Objects behavior (system, network, identity), Object tags, Manual analysis

Suspicious objects → Suspicious behavior

Level 3: Analyst
Sandbox/KATA, AV, IR team, WL, APT Hunt, Automatic analysis, Exploit detection
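The funnel above, as an added Python example (not Kaspersky's platform code): Level 1 matches the objects of each event (MD5, FQDN) against IoC feeds and pDNS first-seen age, Level 2 attaches behaviour tags and a fleet-wide prevalence ("popularity") rating, and Level 3 drops whitelisted objects, scores and ranks what reaches the analyst. The feeds, hashes, hostnames, domains (reserved .example names), tag weights and the 10-host fleet are all assumptions constructed for the example. Note what happens to the Office-spawned powershell.exe: its hash is whitelisted and vanishes from the queue, but the behaviour survives on the young domain it contacted, which is how a malware-less attack still surfaces.

```python
"""Three-level threat hunting funnel over constructed endpoint telemetry.

Level 1 (TI farm): match objects (MD5, FQDN) against IoC feeds and pDNS age.
Level 2 (TTP):     tag behaviour and rate prevalence ("popularity") per object.
Level 3 (analyst): drop whitelisted objects, score, rank the analyst queue.
Every feed, hash, host and domain below is constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Event = Tuple[str, str, str, str, Optional[str]]  # host, parent, process, md5, fqdn

# Constructed object identifiers.
CHROME_MD5 = "c4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d9"   # browser seen fleet-wide
PS_MD5 = "0a1b2c3d4e5f60718293a4b5c6d7e8f9"       # the fleet's powershell.exe build
UPDCHK_MD5 = "b00b1e5f00d0000deadbeef00c0ffee00"   # unknown binary talking to C&C
DRV_MD5 = "7d8f1a2b3c4d5e6f7a8b9c0d1e2f3a4b"      # hash present in a file IoC feed

# Constructed feeds standing in for the TI farm (file IoC, C&C, pDNS).
IOC_MD5 = {DRV_MD5}
IOC_C2_FQDN = {"c2.example"}
PDNS_FIRST_SEEN_DAYS_AGO = {"update.example": 900, "c2.example": 5,
                            "cdn-static-updates.example": 2}
WHITELIST_MD5 = {PS_MD5}
FLEET_SIZE = 10
YOUNG_DOMAIN_DAYS = 7
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Assumed weights: IoC hits dominate, behaviour and rarity add, popularity subtracts.
TAG_WEIGHT = {
    "ioc:file": 60, "ioc:c2": 60, "ttp:contacts-ioc": 40,
    "ttp:office-spawns-shell": 30, "pdns:young-domain": 20,
    "prevalence:rare": 15, "prevalence:common": -30,
}

@dataclass
class Verdict:
    obj: str
    kind: str                               # "md5" or "fqdn"
    tags: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    score: int = 0

def funnel(events: List[Event]) -> List[Verdict]:
    objects: Dict[str, Verdict] = {}

    def get(obj: str, kind: str) -> Verdict:
        return objects.setdefault(obj, Verdict(obj, kind))

    # Level 1 (feed matches) and the per-event part of Level 2 (behaviour tags).
    for host, parent, process, md5, fqdn in events:
        touched = [get(md5, "md5")]
        if md5 in IOC_MD5:
            touched[0].tags.add("ioc:file")
        if fqdn:
            dom = get(fqdn, "fqdn")
            touched.append(dom)
            if fqdn in IOC_C2_FQDN:
                dom.tags.add("ioc:c2")
                touched[0].tags.add("ttp:contacts-ioc")
            age = PDNS_FIRST_SEEN_DAYS_AGO.get(fqdn)
            if age is not None and age <= YOUNG_DOMAIN_DAYS:
                dom.tags.add("pdns:young-domain")
        if parent.lower() in OFFICE_APPS and process.lower() in SHELLS:
            for v in touched:                   # an Office document launching a script host
                v.tags.add("ttp:office-spawns-shell")
        for v in touched:
            v.hosts.add(host)

    # Level 2, fleet-wide: prevalence. Rare objects are interesting; anything on a
    # quarter of the fleet is almost certainly business as usual.
    for v in objects.values():
        if len(v.hosts) <= 2:
            v.tags.add("prevalence:rare")
        elif len(v.hosts) >= FLEET_SIZE * 0.25:
            v.tags.add("prevalence:common")

    # Level 3: whitelist, score, and rank what the analyst actually sees.
    queue = []
    for v in objects.values():
        if v.kind == "md5" and v.obj in WHITELIST_MD5:
            continue                            # trusted binary; its behaviour lives on via the FQDN
        v.score = sum(TAG_WEIGHT[t] for t in v.tags)
        if v.score > 0:
            queue.append(v)
    return sorted(queue, key=lambda v: (-v.score, v.obj))

# Constructed telemetry from a 10-host fleet.
SAMPLE_EVENTS: List[Event] = [
    (f"WS0{i}", "explorer.exe", "chrome.exe", CHROME_MD5, "update.example") for i in range(1, 9)
] + [
    ("WS03", "WINWORD.EXE", "powershell.exe", PS_MD5, "cdn-static-updates.example"),
    ("WS05", "svchost.exe", "updchk.exe", UPDCHK_MD5, "c2.example"),
    ("WS07", "services.exe", "drv.exe", DRV_MD5, None),
]

if __name__ == "__main__":
    for v in funnel(SAMPLE_EVENTS):
        print(f"{v.score:4d}  {v.kind:4s} {v.obj:30s} {sorted(v.tags)}")
```

The weights are where the "pain cycle" questions land in practice: an object seen on one host with a feed hit is not the same priority as an encoded PowerShell seen on every workstation, and the prevalence tags are what keep the second case from flooding the queue.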

Page 34:

CYBER THREAT HUNTING “TOOLKIT”

Intelligence

• TTP: Incident Response/Pentest cases

• MRTI: Feeds

Sensors

• Host

• Network

• Infrastructure

• Apps

Collection and analysis

• Collection cloud

• Storage

• Analytical engine(s)

Threat Hunting Team

Page 35:

SOC/IR/THREAT HUNTING

The cycle from Page 30, with its stages divided among three functions:

• Threat Hunting

• Incident Response

• Monitoring

Page 36:

THREAT HUNTING…

Helps to detect new threats

On top of the SOC

TTP based detection

“Time machine”

Non-malware attacks

Iterative process

Pain cycle

https://www.linkedin.com/pulse/threat-hunting-reference-model-part-2-loop-ely-kahn

Page 37:

Know the enemy

Know yourself

Follow trends

Use what you have

Look forward

Remember the past

Hunt the hunters

Page 38:

SILENCE IS A SCARY SOUND

Page 39:

BE SAFE!

Sergey Gordeychik

[email protected]

@scadasl

Targeted Attack Discovery: APT, Advanced threats, IT issues, Abnormal Behavior, Internal threats